Can't change lighttpd's port for HaProxy reverse proxy Topic is solved

[Joulinar]

yes it's going to recreated all the files. Is the service set to active now ?

[Rilic]

I can use the haproxy command! We're getting somewhere. Now it's just a config problem on my end, as per the validation command. Will let you know if I get it working!

[Rilic]

Alright, so it looks like it's working! HaProxy is passing example.com connections to port 8080, where lighttpd is.
I only have two problems now:

- I might use SSL pass-through instead of SSL termination for my servers. This would mean I'd only need to run certbot once for each subdomain used and not have to manually renew it. However, it also means that I need to set up lighttpd to use SSL on port 8080, somehow.
- I'm having a problem getting my gitea instance seen by haproxy. It's set to pass through git.example.com connections to port 3000, but I don't know if I've done it right as it's just passing it through to lighttpd.

Any tips for any of this? I'd really appreciate it. Also, thanks a lot for sticking with me through all of this. I really hope this isn't getting annoying!

[Joulinar]

can you share you haproxy conf file?

[Rilic]

Code: Select all

global

	# rsyslog is required for logging
	#log /var/log    local0
	#log /var/log    local1 notice
	maxconn 64
	log 127.0.0.1 local0 notice
	# Jail directory
	chroot /var/lib/haproxy
	stats socket /run/haproxy.sock mode 660 level admin
	stats timeout 30s
	user root
	group root
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL).
	ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

defaults

	log     global
	mode    http
	option  httplog
	option  dontlognull
	timeout connect 5000
	timeout client  50000
	timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
	bind *:80
	bind *:443
	acl sub1 hdr_sub(host) -i example.com
	acl sub2 hdr_sub(host) -i git.example.com
	
	use_backend lighttpd_backend if sub1
	use_backend gitea_backend if sub2

backend lighttpd_backend
	mode http
	option forwardfor
	server lighttpd_server 127.0.0.1:8080

backend gitea_backend
	mode http
	option forwardfor
	server gitea_server 127.0.0.1:3000

# Admin web page

	listen stats
	bind *:4264
	stats enable
	stats uri /
	stats hide-version
	stats auth admin:dietpi

[Joulinar]

ok I adjusted the frontend section slidly. This will forward every request to lighttpd_backend except requests for git.example.com

Code: Select all

frontend http-in
        bind *:80
        bind *:443
#       acl sub1 hdr_sub(host) -i example.com
        default_backend lighttpd_backend
        acl sub2 hdr_sub(host) -i git.example.com

#       use_backend lighttpd_backend if sub1
        use_backend gitea_backend if sub2

But I need to say that I'm not an expert on HaProxy config files. There might better ways

[Rilic]

It's still not routing git.example.com to 127.0.0.1:3000... It seems like it's not reading the domain properly. Is there any help you can give there, or should I go to a different forum for specifically HaProxy stuff?

[Joulinar]

This is the config file I'm using. And I'm able to reach gitea

global

# rsyslog is required for logging
#log /var/log local0
#log /var/log local1 notice
maxconn 64
log 127.0.0.1 local0 notice
# Jail directory
chroot /var/lib/haproxy
stats socket /run/haproxy.sock mode 660 level admin
stats timeout 30s
user root
group root
daemon

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL).
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

Code: Select all

defaults

        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
        bind *:80
        bind *:443
#       acl sub1 hdr_sub(host) -i example.com
        default_backend lighttpd_backend
        acl sub2 hdr_sub(host) -i git.example.com

#       use_backend lighttpd_backend if sub1
        use_backend gitea_backend if sub2

backend lighttpd_backend
        mode http
        option forwardfor
        server lighttpd_server 127.0.0.1:8080

backend gitea_backend
        mode http
        option forwardfor
        server gitea_server 127.0.0.1:3000

# Admin web page

        listen stats
        bind *:4264
        stats enable
        stats uri /
        stats hide-version
        stats auth admin:dietpi

Did you cleared cache on your browser as well? Did your restart HaProxy service?

Yes indeed, consulting a pure HaProxy fucussing board might be a good option. These guys most probably more knowledgeable than we are.

[Rilic]

It has suddenly struck me that Gitea is still using the normal domain (example.com:3000), rather than its subdomain (git.example.com), as well as using HTTPS on port 3000. Might it be redirecting to the top domain, which then sends it to lighttpd through HaProxy?

[Rilic]

There's a change in the problem. It's almost working, though!

It's accepting a connection on git.example.com and forwarding it to port 3000!

I'm getting this error on firefox:
SSL_ERROR_RX_RECORD_TOO_LONG

This is happening on both lighttpd and Gitea.

I think it has something to do with HaProxy. Are you any help here, or?